Proteggere il DNS per maggiore sicurezza e minori rischi

Transcription

1 Proteggere il DNS per maggiore sicurezza e minori rischi Infoblox Inc. All Rights Reserved. Gianluca Silvestri System Engineer, Exclusive Networks Italy

2 Who is Infoblox and what do they do? Infoblox Inc. All Rights Reserved.

3 Infoblox Overview and Business Update Founded in 1999 Headquartered in Santa Clara, CA, with global operations in 25 countries $300 ($MM) Total Revenue (Fiscal Year Ending July 31) Leader in technology for network control $250 $225.0 $250,3 Market leadership DDI Market Leader (Gartner) 50% DDI Market Share (IDC) 7,900+ customers 85,000+ systems shipped to 100 countries $200 $150 $100 $56,0 $61,7 $102,2 $132,8 $169,2 53 patents, 30 pending $50 $35,0 IPO April 2012: NYSE BLOX $0 FY2007 FY2008 FY2009 FY2010 FY2011 FY2012 FY2013 FY Infoblox Inc. All Rights Reserved.

4 DDI DNS Domain Name System DHCP Dynamic Host Configuration Protocol IPAM IP Address Management Infoblox Inc. All Rights Reserved.

5 Current Customer Network Landscape AUTOMATION END POINTS VIRTUAL MACHINES PRIVATE CLOUD APPLICATIONS CONTROL PLANE Complexity Risk & Cost Agility Flexibility MICROSOFT DNS MICROSOFT DHCP VMWARE DNS UNIX BIND QIP SCRIPTS COMMAND LINE INFRASTRUCTURE FIREWALLS SWITCHES ROUTERS HYPERVISORS LOAD BALANCERS Infoblox Inc. All Rights Reserved.

6 Discover Automate Manage Control Infoblox Inc. All Rights Reserved.

7 With Infoblox AUTOMATION END POINTS VIRTUAL MACHINES PRIVATE CLOUD APPLICATIONS CONTROL PLANE Infrastructure Security Infoblox Grid TM w/ Real-time Network Database Historical / Real-time Reporting & Control INFRASTRUCTURE FIREWALLS SWITCHES ROUTERS HYPERVISORS LOAD BALANCERS Infoblox Inc. All Rights Reserved.

8 Market Drivers For DNS, DHCP and IPAM Infoblox Inc. All Rights Reserved.

9 IP Devices Remember When? Infoblox Inc. All Rights Reserved. 9

10 What About Today? SDN 4 7 IP s are consumed by every employee at work 37% of companies are managing > 50,000 IPs Infoblox Inc. All Rights Reserved.

11 Customers Need Commercial Grade IPAM X NOT THIS! Infoblox Inc. All Rights Reserved.

12 The Use Case for Commercial Grade IPAM What are the challenges of Legacy IPAM? How do you detect changes? What s the impact of an outage? How do you automate? Virtual and cloud networks? Mobility and IP device growth IPv6 and DNSSEC Data center virtualization How do you handle audits? No centralized reporting No historical trending No effective audit prep Infoblox Inc. All Rights Reserved.

13 IPAM with Infoblox Infoblox Inc. All Rights Reserved.

14 Infoblox IPAM in IP Mapping Mode Infoblox Inc. All Rights Reserved.

15 IPAM Discovery Information Detailed view of what s using that IP Discovers virtual and physical devices Search by any field on one or more criteria Save criteria information to a Smart Folder Create custom smart folder of networks and other attributes Results updated automatically with any network changes Infoblox Inc. All Rights Reserved.

16 Dynamic Host Control Protocol (DHCP) Infoblox Inc. All Rights Reserved.

17 What is DHCP? What is it? Dynamic Host Configuration Protocol Dynamically provides IP addresses to devices What is it equivalent to? Borrowing a book from a Library Or renting a car Who and what needs it? Laptops & Desktops Virtual Servers (and sometimes physical) Non-shared devices (mobile) Any LAN or WAN device/server Performance measured in Leases per second Infoblox Inc. All Rights Reserved.

18 Infoblox Offers Device Fingerprinting Detect, secure, enforce policy Visibility to BYOD device types Enforce connectivity by device type Enforce corporate device use policy Block selected OS s Focused DHCP reporting Lease history w/ DHCP fingerprint data Number of device operating systems Device OS trend Infoblox Inc. All Rights Reserved.

19 Domain Name System (DNS) Infoblox Inc. All Rights Reserved.

20 What is DNS? What is it? Domain Name System Connects devices to Internet What is it Equivalent to? Phone book for the internet What is an Example? google.com infoblox.com Who and what needs it? Web Browsing Microsoft Active Directory Everything! Performance measured in Queries per second Infoblox Inc. All Rights Reserved. 20

21 DNS Use Case Centralization and OPEX Infoblox GUI/Wizard Or BIND CLI* *Command Line Interface // Filename: /etc/named.conf options { directory "/etc/domain"; }; // zone "." { type hint; file "named.root"; // This file should be picked up from }; // ftp://ftp.rs.internic.net/domain/named.root zone "localhost" { type master; file "localhost"; }; zone " in-addr.arpa" { type master; file " "; zone "company.xy" { // The file "company.xy" should reside in type master; // the /etc/domain/ directory, and you file "company.xy"; // have to create it yourself. }; Infoblox Inc. All Rights Reserved.

22 DNS Use Case - Performance Infoblox Inc. All Rights Reserved.

23 Is Your Customer s DNS Service Secure? Infoblox Inc. All Rights Reserved.

24 DNS is Now the #2 Attack Vector Protocol Source: Arbor Networks DNS 8.94% 67% of all known attack vectors were DNS based 46% of large companies have experienced a DNS attack 76% of those reported a DDoS attack on DNS servers Infoblox Inc. All Rights Reserved.

25 Why is DNS an Ideal Target? DNS is the cornerstone of the Internet DNS traffic has been increasing by 95% annually since 2012! DNS protocol is easy to exploit. DNS has been around for over 30 years! Traditional protection is ineffective against evolving DNS threats Companies are at risk of sensitive data loss! DNS Outage = Business Down Time Infoblox Inc. All Rights Reserved.

26 Infoblox Inc. All Rights Reserved. DNS Firewall

27 APTs: The New Threat Landscape Malicious traffic is visible on 100% of corporate networks 1 Every 1 minute, a bot communicates with its command and control center 2 Malicious attacks can take an average of 256 days to identify 3 Average total cost of data breach is $3.8 million, intangible loss higher 3 APTs rely on DNS at various stages of the cyber kill chain to infect devices, propagate malware, and exfiltrate data Source: 1. Cisco 2014 Annual Security Report, 2. Check Point 2015 Security Report, 3. The Ponemon Institute 2015 Cost of Data Breach Study: Global Analysis Infoblox Inc. All Rights Reserved.

28 Malware/APT Trends 100% companies are calling malicious malware hosts* Point solutions fail because malware is sophisticated Multiprotocol Multiple connections Encrypted, which means deep-packet inspection is ineffective * Source: Cisco 2014 Annual Security Report Infoblox Inc. All Rights Reserved.

29 DNS Tunneling Uses DNS as a covert communication channel to bypass firewalls Attacker tunnels other protocols like SSH, TCP, or web within DNS Enables attackers to easily pass stolen data or tunnel IP traffic without detection A DNS tunnel can be used as a full remote-control channel for a compromised internal host Impact: Data exfiltration or malware insertion can happen through the tunnel IP traffic Encoded IP in DNS queries Internet INTERNET ENTERPRISE DNS terminal server Client-side tunnel program Infoblox Inc. All Rights Reserved.

30 Malware Examples CryptoLocker Targets Windows-based computers in form of attachment Upon infection, encrypts files on local hard drive and mapped network drives If ransom isn t paid, encryption key deleted and data irretrievable Gameover Zeus (GOZ) 500,000 1M infections globally and100s of millions of dollars stolen Uses P2P communication to control infected devices or botnet Takes control of private online transactions and diverts funds to criminal accounts Infoblox Inc. All Rights Reserved.

31 Data Exfiltration over DNS Queries Malware Steals File Containing Sensitive Data Infected endpoint gets access to file containing sensitive data It encrypts and converts info into encoded format Text broken into chunks and sent via DNS using hostname.subdomain or TXT records Exfiltrated data reconstructed at the other end Can use spoofed addresses to avoid detection Attacker controller serverthief.com (C&C) C&C commands DNS server NameMarySmith.foo.thief.com MRN foo.thief.com DOB foo.thief.com Data INTERNET ENTERPRISE Infected endpoint NameMarySmith.foo.thief.com MRN foo.thief.com DOB foo.thief.com Infoblox Inc. All Rights Reserved.

32 Infoblox Solution Infoblox Inc. All Rights Reserved.

33 Infoblox Security Approach Visibility Protection Response See attacks, infections, and dataexfiltration attempts in the network Protect infrastructure and data from attacks and malicious agents Enable rapid response by providing contextual information on infections Infoblox Inc. All Rights Reserved.

34 The Solution: Infoblox Internal DNS Security Deep inspection of DNS traffic to drop attacks and block data exfiltration through DNS tunneling Adaptive APT/malware protection to stop propagation of malware and prevent infected devices from stealing data Automated threat intelligence feed to provide ongoing protection against new attacks, APTs, and malware Comprehensive DNS security without the need for endpoint agents Hardware accelerated DNS DDOS mitigation maintains system integrity under attack Infoblox Inc. All Rights Reserved.

35 Internal DNS Security Infoblox Automated Threat Intelligence Service INTERNET Updates for DNS attacks and malicious domains Firewal l ENTERPRISE Infoblox Internal DNS Security x xx x x Badsite1.com Badsite2.com Badsite3.com SSN: foo.thief.co m DOB foo.thief.com Good.com Attacker Thief Badsite1.com Legitimate Query DNS DDoS attacks detected and dropped Data exfiltration detected and dropped Malware site blocked Infoblox Inc. All Rights Reserved.

36 Protection Against APTs/Malware Malicious Domains Infoblox threat update device IPs, Domains, ect. of Bad Servers INTERNET Malware/APT INTRANET 1 2 Malware/APT spreads within network; calls home An infected device brought into the office. Malware spreads to other devices on network. Malware makes a DNS query to find home (botnet / C&C). DNS Firewall looks at the DNS response and takes admin-defined action (disallows communication to malware site or redirects traffic to a landing page or walled garden site). Pinpoint. Infoblox Reporting lists DNS An update will occur every 2 hours (or 3 4 Firewall action as well as the: more often for significant threat). Device IP address Device MAC address Device type (DHCP fingerprint) Device host name Device lease history Blocked communication attempt sent to Syslog Infoblox Internal DNS Security FireEye detonates and detect SPT based Malware 5 Additional threat intelligence from sources outside Infoblox can also be used by DNS Firewall (e.g. FireEye) Infoblox Inc. All Rights Reserved.

37 Types of APT/Malware Blocked Fast flux Rapid changing of domains and IP addresses by malicious domains to obfuscate ID and location DGA Malware that randomly generates domains to connect to malicious networks or botnets APT Geo- Based Malware designed to spread, morph, and hide within IT infrastructure to perpetrate long-term attack Can block access to geos with many malicious domains or that have economic sanctions by governance Infoblox Inc. All Rights Reserved.

38 Protection Against Data Exfiltration via DNS Tunnel Focuses on large size requests and responses Detects too-many, too-large requests in a given timeframe Drops beyond these thresholds Signatures are used to detect well known tunneling tools Infoblox Inc. All Rights Reserved.

39 Contextual Reporting Intelligence Needed to Take Action Attack details by category, member, rule, severity, and time Drill-down analytics and visualization of entire network List of top infected clients with associated user names (enabled by Microsoft AD integration) CISO/Executive report with top APT/malware threats Infoblox Inc. All Rights Reserved.

40 Infoblox Complements Other Solutions Next generation firewall IDS/IPS Web proxy/ gateway Antimalware Solution Focus Perimeter protection from network and application threats and usually allows DNS traffic Anomaly detection and heuristics to detect and block malware Filtering of unwanted software and malware from internal userinitiated web/internet traffic Protecting the endpoint against viruses, worms and other malware by means of signatures Infoblox Complements Each Solution DNS threat intelligence feed offers defense-in-depth protection against APT/malware-based communications to C&C servers Because of its unique position in the network, can more easily identify and protect against advanced DNS evasion techniques like Fast Flux and DGAs Identifies and protects against advanced DNS evasion techniques like Fast Flux and DGAs Detects attacks disguised within encrypted communications Identifies infected endpoints based on user ID, IP address, MAC address Detects malware within multiple types of traffic, not just Web Identifies and protects against advanced DNS evasion techniques like Fast Flux and DGAs Identifies infected endpoints based on user ID, IP address, MAC address and other unique identifiers Provides defense-in-depth by stopping a broad set of malware Provides easy coverage for endpoints that can t or don t have endpoint agents installed Identifies infected endpoints based on user ID, IP address, MAC address Infoblox Inc. All Rights Reserved.

41 Key Benefits of Infoblox DNS Firewall PROACTIVE INSIGHTFUL ADAPTABLE Proactive detection and mitigation of APT/malware threats FireEye integration for DNS level APT disruption Help prevent data exfiltration Pinpointing infected devices Threat severity and impact data Contextual reporting, alerts, and incident notification Automated threatupdate service No downtime/patching Scalable protection Infoblox Inc. All Rights Reserved.

42 Malware Assessment Program (MAP) Infoblox Inc. All Rights Reserved.

43 Send Us Your PCAP Files Infoblox analyzes and provides insights on malicious activity in seconds Report on findings to take back to management Infoblox Inc. All Rights Reserved.

44 Malware Assessment Program Scopo del programma Lo scopo del Malware Assessment Program (MAP) è informare i tuoi clienti, potenziali ed esistenti, dei malware che si trovano all'interno del loro ambiente, fornendo loro un dettagliato rapporto sulla loro infrastruttura. Tale rapporto mostrerà le query rivolte tramite i loro server DNS a siti o indirizzi pericolosi noti e illustrerà al cliente come proteggersi dai malware integrando la propria infrastruttura di sicurezza corrente con Infoblox DNS Firewall. Infoblox fornirà le informazioni necessarie a rendere consapevoli i tuoi clienti, potenziali ed esistenti, dei rischi all'interno dei loro ambienti e lo scopo è quello di far sì che effettuino una packet capture (PCAP) in modo che possiamo individuare il traffico dannoso all'interno del loro ambiente Infoblox Inc. All Rights Reserved.

45 Malware Assessment Program Come effettuare una packet capture (PCAP) Una packet capture ci aiuta a individuare la comunicazione malware con DNS in posizioni dannose note. Per catturare il traffico, andrà individuato il Server DNS interno nell'ambiente del tuo cliente. Andrà poi chiesto al cliente di effettuare una packet capture di minuti sul traffico in entrata e in uscita sul server DNS. Se il cliente è in grado di farlo, andrà richiesto che la cattura del traffico filtri solo il traffico basato sul DNS. Potrete salvare e caricare la packet capture effettuata sulla Cartella di archiviazione Infoblox online al seguente link: i Infoblox Inc. All Rights Reserved.

46 Malware Assessment Program Cosa ti offriamo in cambio Infoblox prenderà la packet capture e la riproporrà al nostro feed RPZ per trovare i dettagli di traffico relativi al malware che sta cercando di contattare siti pericolosi noti tramite indirizzo IP o nomi DNS. Genereremo un rapporto personalizzato che individua il tipo di malware associato alla query dannosa e ne classifica il livello di pericolo. Tale rapporto può essere trasmesso al tuo cliente per determinare i passi successivi Infoblox Inc. All Rights Reserved.

47 Malware Assessment Program Cosa ci guadagni? Diventerai il punto di riferimento affidabile e competente per tutti i tuoi clienti che hanno questo tipo di problema. Aumenterai le tue opportunità di vendita sul budget di security dei tuoi clienti Una carta regalo da $250 per ogni PCAP approvata!!! La richiesta deve essere inviata tramite Partner Central e approvata da Infoblox. Le informazioni del cliente saranno trasmesse nel modulo di richiesta. Contattare il tuo commerciale di riferimento per qualsiasi informazione Infoblox Inc. All Rights Reserved.

48 Thank You Infoblox Inc. All Rights Reserved.